The CLI client (jenkins-cli.jar) in Jenkins 2.451 and earlier, LTS 2.440.2 and earlier bundles versions of the Apache MINA SSHD library that are susceptible to CVE-2023-48795 (Terrapin attack). This vulnerability allows a machine-in-the-middle attacker to reduce the security of an SSH connection. The above is fixed in 2.452 and LTS 2.440.3
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77c13a83cffa6d587da5be93760a0c5ac08a4fbb commit 77c13a83cffa6d587da5be93760a0c5ac08a4fbb Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2024-04-18 05:43:38 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-04-18 05:44:33 +0000 dev-util/jenkins-bin: add 2.440.3, 2.454 Bug: https://bugs.gentoo.org/930152 Signed-off-by: Hans de Graaff <graaff@gentoo.org> dev-util/jenkins-bin/Manifest | 2 ++ dev-util/jenkins-bin/jenkins-bin-2.440.3.ebuild | 44 +++++++++++++++++++++++++ dev-util/jenkins-bin/jenkins-bin-2.454.ebuild | 44 +++++++++++++++++++++++++ 3 files changed, 90 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9280407db804348a55a343cd0cfe2c3deaecdc35 commit 9280407db804348a55a343cd0cfe2c3deaecdc35 Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2024-05-11 08:25:41 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-05-11 08:25:56 +0000 dev-util/jenkins-bin: drop 2.440.1, 2.440.2, 2.446 Bug: https://bugs.gentoo.org/930152 Signed-off-by: Hans de Graaff <graaff@gentoo.org> dev-util/jenkins-bin/Manifest | 3 -- dev-util/jenkins-bin/jenkins-bin-2.440.1.ebuild | 44 ------------------------- dev-util/jenkins-bin/jenkins-bin-2.440.2.ebuild | 44 ------------------------- dev-util/jenkins-bin/jenkins-bin-2.446.ebuild | 44 ------------------------- 4 files changed, 135 deletions(-)